This is a question that often comes up during webinars. How to evidence something that ISO 9001:2015 does not compel to document?
This is why I believe ISO 9001:2015 is better understood from the point of view of an organization that had never implemented a quality system and is starting from scratch. Let me answer with an example. Consider an organization that has nothing written about risks. How can they evidence that risks were determined, evaluated and actions were taken?
Let us consider the process “Buy material”.
Can anyone order materials to a supplier?
- No, only authorized functions - Can you order a material from any supplier?
No, only suppliers included in the Suppliers Approved List - Can delivered materials be sent directly to production?
No, only after a quality control done by the warehouse. - Can non-conforming material be sent to production inadvertently?
No, non-conforming material is labeled as non-conforming as is segregated to a special space. - Come on people operate your process they can fail.
Yes, they can fail but yo minimize that we defined competencies for each function, we select and train people according to those competencies
You see, these are things that an organization with a quality management system already implemented is already doing to avoid or reduce risks, without using that terminology. So, search for evidences like these. I’m sure you can find them if you put another kind of lenses.
The following material will provide you more information about auditing: